5 Ways to Secure Your Containers for Docker and Beyond
TRANSCRIPT
Who is Black Duck Software?
• Founded 2002
• 1,800 Customers
• 250+ Employees
• 24 Countries
• 7 of the top 10 Software Companies (44 of the top 100)
• 6 of the top 8 Mobile Handset Vendors
• 6 of the top 10 Investment Banks
Understanding Container Technologies
Level Set: What is a Container?
[Diagram: three generations of the container stack, each sitting on the Linux kernel (namespaces, cgroups, SELinux/AppArmor). Linux Containers: liblxc directly on the kernel. Docker 1.10 and prior: Docker on libcontainer. Docker 1.10 and later: Docker Engine, containerd, and one containerd-shim plus runC per container.]
Container Use Cases
Application containers
• Hold a single application
• Can follow micro-services design pattern
• Starting point for most container usage
• Short lifespan, many per host
System containers
• Proxy for a VM
• Insulate against core operating system
• Perfect for legacy apps
• Long lifespan, few per host
[Diagram: MySQL, Tomcat and nginx on a shared kernel, shown once for each use case: as separate application containers and as one system container.]
Are Containers Production Ready?
Container Deployment Models
Securing the Container Contents and Environment
#1 – Trust Your Container Source
[Diagram: where images come from. Atomic Host running Atomic App and Atomic Nulecule images from the Red Hat Registry; Docker Hub images such as MySQL, Redis and Jenkins; Docker containers from third party and custom sources.]
Problem: Who to trust, and why?
• Trusted source?
• Unexpected image contents
• Locked application layer versions (e.g. no yum update)
• Layer dependencies (monolithic vs micro-services)
• Validated when?
Remember – Open Source Components are Ubiquitous
[Diagram: code enters from developer downloads, outsourced development, third party libraries, code reuse, approved components, commercial apps and open source code.]
#2 – Determine Who Can Launch A Container
Container default is root access
• RBAC/ABAC is orchestration specific
Docker Datacenter
• Universal Control Plane
• RBAC – LDAP/AD/local users
• Full/Restricted/View/None
Kubernetes
• Authorization modules
• Admission controllers
#3 – Define Sensible Network Policies
• Docker default network is Linux Bridge
• Access policy defined in iptables
• Based on Docker daemon startup
• External communication on by default
• --iptables=off to disable iptables modification
• Inter container communication on by default
• --icc=false to disable inter container communication
• --link=CONTAINER_NAME_or_ID:ALIAS with EXPOSE ports from the Dockerfile
• All inter-container/cross host communication is external
• `docker network` command simplifies aspects of network design
• Create user defined networks, including overlay networks
• `docker network create --driver bridge sql`
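As an added example (not code from the deck or from Black Duck), the following script applies the user-defined network approach from this slide: the data tier lives on an internal bridge that has no route off the host, and only the web tier is attached to both networks. Network, container and image names are assumptions; DRY_RUN=1 prints the docker commands instead of executing them.

```shell
# Added example: segment tiers with user-defined bridge networks instead of
# the default docker0 bridge. Network, container and image names are
# assumptions. DRY_RUN=1 prints each docker command instead of running it,
# so the script can be reviewed on a host without Docker installed.
run_docker() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'docker %s\n' "$*"
    else
        docker "$@"
    fi
}

# Containers on different user-defined bridges cannot reach each other,
# unlike containers that all share docker0 with the default --icc=true.
create_tier_networks() {
    run_docker network create --driver bridge frontend
    # --internal: no masquerade rule to eth0, so the data tier has no path
    # off the host at all (no exposure inbound, no callbacks outbound).
    run_docker network create --driver bridge --internal backend
}

# The database joins only the internal network and publishes no port
# (no -p), so it is reachable solely from containers on "backend".
start_db() {
    run_docker run -d --name sql --network backend "$1"
}

# The web tier starts on "frontend" with a single published port, then is
# attached to "backend" so it can resolve "sql" through the embedded DNS.
start_web() {
    run_docker run -d --name web --network frontend -p 443:443 "$1"
    run_docker network connect backend web
}
```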
Docker Networking - Example
[Diagram: two hosts (eth0 10.204.136.1 and eth0 10.204.136.2), each with a docker0 bridge NATing 172.16.1.0/24 through iptables and six containers per host attached via veth0 to veth5.]
Kubernetes Networking - Example
[Diagram: two hosts on the Kubernetes network (eth0 10.204.136.20 and eth0 10.204.136.10), each running two pods. Every pod holds a Pause container plus two application containers and has its own address on the network (veth0 10.204.136.21 and 10.204.136.22 on the first host, 10.204.136.11 and 10.204.136.12 on the second).]
[Chart: Open Source Vulnerabilities Reported Per Year, 1999 to 2015, BDS-exclusive versus NVD, y-axis 0 to 3,500.]
Reference: Black Duck Software Knowledgebase, NVD
#4 – Perform Vulnerability Tracking
Knowledge is Key. Can You Keep Up?
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
[Timeline, built up over four slides, with the risk label rising as each stage is added:]
• May 2008 – glibc vulnerability introduced
• July 2015 – glibc bug reported (Low Security Risk)
• Feb 16, 2016 – CVE-2015-7547 assigned
• Feb 18, 2016 – vulnerability published in the National Vulnerability Database (Moderate Security Risk)
• Patches available (Highest Security Risk)
• You find it
• You fix it
#5 – Limit the Scope of Compromise
• Enable Linux Security Modules
• SELinux
• --selinux-enabled on Docker engine, --security-opt="label:profile"
• AppArmor
• --security-opt="apparmor:profile"
• Apply Linux kernel security profiles
• grsecurity, PaX and seccomp protections for ASLR and RBAC
• Adjust privileged kernel capabilities
• Reduce capabilities with --cap-drop
• Beware --cap-add and --privileged=false, and CAP_SYS_ADMIN
• Use a minimal Linux Host OS
• Atomic host, CoreOS, RancherOS
• Reduce impact of noisy neighbors
• Use cgroups to set CPU shares and memory
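As an added example (not code from the deck or from Black Duck), this script combines the controls on this slide into one hardened `docker run`: capabilities dropped and selectively restored, an LSM profile, no privilege escalation, a read-only root filesystem and cgroup limits. The image, container name, AppArmor profile and limit values are assumptions; DRY_RUN=1 prints the command instead of executing it.

```shell
# Added example: a single hardened "docker run" applying the controls from
# this slide. Image, container name, AppArmor profile and resource limits
# are assumptions. DRY_RUN=1 prints the command instead of executing it.
run_docker() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'docker %s\n' "$*"
    else
        docker "$@"
    fi
}

# Launch with the smallest privilege set the workload tolerates:
#  - drop every capability, then add back only what is needed (here:
#    binding port 443); never add back SYS_ADMIN, it is close to host root
#  - block privilege escalation through setuid binaries in the container
#  - confine with the host's AppArmor profile (use label:... on SELinux hosts)
#  - read-only root filesystem, scratch space only in a noexec tmpfs
#  - cgroup limits so a compromised or runaway container cannot starve
#    its neighbours of memory, CPU or process slots
hardened_run() {
    image="$1"
    shift
    run_docker run -d --name app \
        --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
        --security-opt=no-new-privileges \
        --security-opt=apparmor:docker-default \
        --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --memory=256m --cpu-shares=512 --pids-limit=100 \
        "$image" "$@"
}
```

Compare the generated command with the container's `docker inspect` output after launch; any `--privileged` or `--cap-add=SYS_ADMIN` that creeps in later undoes the whole list.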
Using Black Duck Hub to Simplify Container Security
Attackers Decide What’s Valuable …
But security investment is often not aligned with actual risks
Black Duck Hub Architecture
[Diagram: 1. Hub Scan, 2. File and Directory Signatures, 3. Open Source Component Identified. The on-premises Hub Web Application queries the Black Duck KnowledgeBase in the Black Duck Data Center.]
Comprehensive KnowledgeBase
• 8,500 websites
• 350 billion lines of code
• 2,400 license types
• 1.5 million projects
• 76,000 vulnerabilities
• Largest database of open source project information in the world.
• Vulnerability coverage extended through partnership with Risk Based Security.
• The KnowledgeBase is essential for identifying and solving open source issues.
Hub Provides Easy Methods to Determine Risk
Open source license compliance
• Ensure project dependencies are understood
Use of vulnerable open source components
• Is component a fork or dependency?
• How is component linked?
Operational risk
• Can you differentiate between “stable” and “dead”?
• Is there a significant change set in your future?
• API versioning
• Security response process for project
Integrations Matter
• INVENTORY open source software
• MAP known security vulnerabilities
• IDENTIFY license compliance risks
• TRACK remediation priorities and progress
• ALERT on new vulnerabilities affecting you
We Need Your Help
Knowledge is power
• Know what’s running and why
• Define proactive vulnerability response process
• Don’t let technology hype cycle dictate security
Invest in defense in depth models
• Don’t rely on perimeter security to do heavy lifting
• Do look at hypervisor & container trends in security
• Make developers and ops teams part of the solution
• Do embed security into deployment process
Together we can build a more secure data center
Free Tools to Help
Free Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan.html
14 Day Free Trial to Black Duck Hub
• https://info.blackducksoftware.com/Demo.html
• Red Hat Atomic Host Integration (Requires Black Duck Hub)
• `atomic scan --scanner blackduck [container]`
Recap: Top 5 Ways to Secure Your Production Containers
• Know the source of your container images
• Create a well defined authorization and authentication model
• Implement a restrictive network policy
• Limit scope of compromise in the container host
• Monitor deployments for vulnerability disclosures
If you have any questions on the content in this presentation
Tweet Tim Mackey @TimInTech or Black Duck Software
@black_duck_sw, and use the hashtag #5ways in your question. Follow
us such that we can use direct messages for detailed discussion. It’s
likely we’ll convert the question into a blog post such that everyone
benefits from the discussion.
Q&A